scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-12-15 18:07:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
31b1339fa5b7acda44190cbecde302e18736a9e3
secureblue/files/system/usr/share/ublue-os/just/60-custom.just.readme.md
spaceoden c21a697252 Update 60-custom.just.readme.md to put new kargs in the correct section (#357) 
the new kargs were added to set-kargs-hardening, not set-kargs-hardening-unstable
2024-08-02 13:01:52 -07:00

90 lines
2.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
## Included in set-kargs-hardening
**Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities**
`init_on_alloc=1`
**Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities**
`init_on_free=1`
**Disables the merging of slabs, increasing difficulty of heap exploitation**
`slab_nomerge`
**Enables page allocator freelist randomization, reducing page allocation predictability**
`page_alloc.shuffle=1`
**Randomize kernel stack offset on each syscall, making certain types of attacks more difficult**
`randomize_kstack_offset=on`
**Disable vsyscall as it is both obsolete and enables an ROP attack vector**
`vsyscall=none`
**Enable kernel lockdown in the strictest mode**
`lockdown=confidentiality`
**Disable CPU-based entropy sources as it's not auditable and has resulted in vulnerabilities**
`random.trust_cpu=off`
**Disable trusting the use of the a seed passed by the bootloader**
`random.trust_bootloader=off`
**Mitigate DMA attacks by enabling IOMMU**
`iommu=force`
`intel_iommu=on`
`amd_iommu=force_isolation`
**Disable IOMMU bypass**
`iommu.passthrough=0`
**Synchronously invalidate IOMMU hardware TLBs**
`iommu.strict=1`
**Enable kernel page table isolation**
`pti=on`
**Only allows kernel modules that have been signed with a valid key to be loaded**
`module.sig_enforce=1`
**Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.**
`mitigations=auto,nosmt`
**Turn on spectre_v2 mitigations at boot time for all programs**
`spectre_v2=on`
**Disable spec store bypass for all programs**
`spec_store_bypass_disable=on`
**Enable the mechanism to flush the L1D cache on context switch.**
`l1d_flush=on`
**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasnt been updated to include the mitigation.**
`gather_data_sampling=force`
## Included in set-kargs-hardening-unstable
**Fill IOMMU protection gap by setting the busmaster bit during early boot**
`efi=disable_early_pci_dma`
**Disable debugfs to prevent exposure of sensitive kernel information**
`debugfs=off`
Reference in New Issue View Git Blame Copy Permalink